[ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4

m.mescoli at omnib.it
Sun Sep 20 08:59:26 UTC 2009

Peter wrote:
> On 09/19/2009 08:22 PM, Darnell wrote:
>> Peter wrote:
>>> On 09/19/2009 04:20 PM, Grant wrote:
>>>> I hope replying here is alright.  I'm trying to figure out if I'm
>>>> vulnerable to this.  I don't use [search-region] or ActionMap at all.
>>>> Does that exclude me?
>>> No, you are vulnerable if you use a Standard or Foundation based
>>> catalog.  You are vulnerable if you have a search results page that
>>> utilizes the Interchange standard search facilities anywhere, even if
>>> you do not use it.  If you think you might be vulnerable you probably
>>> are.  If you think you are not vulnerable then you still probably are.
>>> I recommend this update for ... pretty much everyone.
>>> Peter
>> I know some things that have not been addressed, different language search,
>> like search in Chinese.
>> Also be able to run multiple stores.
> I don't think this update will affect language searches, but please do
> test it before upgrading your live site.  I am very sure that it does
> not affect multiple stores as I have already run the upgrade for a
> client who has multiple catalogs running off of a single Interchange
> server and I'm sure I'm not the only one.
> That said, if you have multiple catalogs running under a single
> Interchange server and they are accessed by different people who should
> not have access to files from the other catalogs (or indeed from any
> other files on the server itself), then you should definitely perform
> this update because it also addresses a separate security vulnerability
> that allows any catalog to access all files which are accessible to the
> system user that the Interchange server is running under.
> Peter
On my development server I have quickly updated several catalogs from 5.6.0 to
5.6.2 without the slightest problem. Testing will continue ...

Marco "Fino alla bara sinpara"
Marco "Up to demise we rise"
